First impressions on CII Best Practices and badges -- part 1 4 messages
Okay, my intent is to try to keep my emails short with only one or two main comments per post. So, first, please give me the "big picture"? 1) What is the overall intent? Is the primary focus merely o
By Kevin W. Wall
First impressions on CII Best Practices and badges -- part 4 6 messages
Okay, I'm through with my initial questions (at least until I first get some answers to the other questions that I asked), but I do have a few comments. To me one of the most significant indicators re
By Kevin W. Wall
First impressions on CII Best Practices and badges -- part 0 2 messages
Hello. This is my first post to this mailing list. At the urging of some other OWASP colleagues, I recently completed filling out all the CII Badging for the OWASP ESAPI 2.x project (/ESAPI/esapi-java
By Kevin W. Wall
OWASP+Badges
Greetings to the list members. Excited to see this project moving. OWASP Foundation www.owasp.org with rough consensus is also going to integrate into the gamification process and drive all projects
By Tom Brennan
Dynamic Analysis 4 messages
Hi All, The section on Dynamic Analysis appears to be mandatory. My application is pretty much all Puppet code and I'm not quite sure how to perform dynamic analysis on this code. Any suggestions woul
By Trevor Vaughan
Other suggestions for helping implement sites_https (HTTPS support on project sites)? 2 messages
We have at least one project that doesn't have full HTTPS support on their project sites (sites_https). We already mentioned Let's Encrypt, but in their case, the problem seems to be that GitHub lacks na
By David A. Wheeler
Press release about the badging project launch 6 messages
All - here's a press release with more information about the badging project launch: https://www.coreinfrastructure.org/news/announcements/2016/05/free-badge-program-signals-what-open-source-projects-
By David A. Wheeler
We've launched! THANK YOU.
I suspect everyone here already knows, but in case you didn’t, we’ve officially launched. That doesn’t mean the work ends; in some sense, it’s only beginning. Now that people are seriously trying to g
By David A. Wheeler
NTIA survey on handling vulnerability disclosures
Hi list -- A topic near and dear to my heart is how both open source and proprietary software handle vulnerability disclosures. The National Telecommunications and Information Administration, part of
By Tod Beardsley
Potential criterion for cryptographic signatures 11 messages
I propose that we try (as a group) to create a potential criterion for cryptographic signatures. We can then decide if it's appropriate to add at this time & at this level. Here's a first cut (markdow
By David A. Wheeler
BadgeApp now using poltergeist (#288) - BadgeApp co-developers will need to change some things 5 messages
Here’s info for those who are co-developing the BadgeApp application… A *big* thanks to Dan Kohn, who fixed our test framework so that we can include web browser tests with Javascript. We’ve had the capab
By David A. Wheeler
asan rule 8 messages
Hi, Hope I'm not too late to propose a change. I'm currently on a mission to tell every foss dev that they should test their stuff with asan. Now there currently already is a rule for that in the badg
By Hanno Böck
Project display
I'm thinking that we can combine at least 2 issues involving project display: https://github.com/linuxfoundation/cii-best-practices-badge/issues/236 (gamification) https://github.com/linuxfoundation/c
By David A. Wheeler
Switching to PostgreSQL everywhere 2 messages
I plan to switch the BadgeApp to use PostgreSQL everywhere as the underlying database system. Details below. This will ONLY affect people developing/running the BadgeApp themselves. However, if you're
By David A. Wheeler
Criteria changes? 6 messages
If there are any last-minute proposals for criteria changes, please speak up now. We intend to launch the “best practices” project soon. Feedback has generally been very positive (thank you everyone!)
By David A. Wheeler
Proposal: Make HTTPS a MUST for project website, repo, and download URLs (issue #214) 10 messages
Currently criterion "project_homepage_https" reads: "It is SUGGESTED that the project website use HTTPS, not HTTP. Future versions of these criteria may make HTTPS a requirement. (The badging applicat
By David A. Wheeler
Need to clarify project pages vs. project software 2 messages
I’ve recently realized that some of the criteria aren’t as clear as I intended them to be. Projects produce software, and they use websites (etc.) to collaborate developing the software. In some crite
By David A. Wheeler
Proposed final criteria additions - and a new "Hide met criteria" button! 12 messages
I’ve pushed to production the criteria additions I mentioned yesterday (not including HTTPS as a MUST). I think all of them have been sitting in the issue tracker for a while, so hopefully they’re not
By David A. Wheeler
Proposed final criteria additions
We’re on the final stretch before the “official” release of the best practices badge. I’m trying to wrap up all proposed changes to the criteria. I didn’t want to change the criteria just before a liv
By David A. Wheeler
Where is the current badge URL? 5 messages
I've filled it out before, but I seem to have lost the web site address, and I couldn't easily figure it out from GitHub or the various news announcements. Thanks! -- Alan
By Alan Robertson